Figure 5–8 Credential Mapping Process

The credential mapping process is initiated when application components, such as JavaServer Pages (JSPs), servlets, Enterprise JavaBeans (EJBs), or Resource Adapters, call into the WebLogic Security Framework through the appropriate resource container to access an Enterprise Information System (EIS), for example, a relational database such as Oracle or SQL Server. As part of the call, the application component passes in the subject (that is, the "who" making the request), the WebLogic resource (that is, the "what" being requested), and information about the type of credentials needed to access the WebLogic resource. The WebLogic Security Framework sends the application component's request for credentials to a configured Credential Mapping provider that handles the type of credentials needed by the application component. The Credential Mapping provider consults its database to obtain a set of credentials that match those requested by the application component and returns the credentials to the WebLogic Security Framework. The WebLogic Security Framework passes the credentials back to the requesting application component through the resource container. The application component then uses the credentials to access the external system.

5.1.9 The Certificate Lookup and Validation Process

During the certificate lookup and validation process, CertPath Builders, CertPath Validators, and the Certificate Lookup and Validation (CLV) framework all interact.

The process for building certificate chains works as follows:

1. The CLV framework is passed a certificate chain and a cert path selector (either the end certificate, the Subject DN, the Issuer DN plus serial number, and/or the subject key identifier) from either a WebLogic Web service or application code.
2. The CLV framework calls the CertPath Builder to locate the certificate chain and validate it. When using Web services, the CLV framework passes the server's list of trusted CAs to the provider. Application code passes its own list of trusted CAs to the provider.
3. If the certificate chain is found and valid, the CLV framework calls any CertPath Validators configured in the security realm, in the order in which they were configured. The certificate chain is valid only if the CertPath Builder and all the configured CertPath Validators successfully validate it.
4. The CLV framework returns the certificate chain to the requesting party.
5. Processing continues.

The process for validating certificate chains works as follows:

1. The CLV framework is passed a certificate chain and a cert path selector (either the end certificate, the Subject DN, the Issuer DN plus serial number, and/or the subject key identifier) from the SSL protocol, a WebLogic Web service, or application code.
2. The CLV framework ensures that the certificate chain is ordered and that each certificate in the chain is signed by the certificate that follows it.
3. If the certificate chain is valid, the CLV framework calls any CertPath Validators configured in the security realm, in the order in which they were configured. The certificate chain is valid only if all the configured CertPath Validators successfully validate it. Validation stops if an error occurs.
4. The CLV framework returns the certificate chain to the requesting party.
5. Processing continues.
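The validation process above, modelled in Go as an added example (this is not WebLogic's or Oracle's code; Go is used because its standard library can issue the test certificates, so the example runs offline). checkOrdered performs step 2, and validateChain then runs a configured list of validators in order and stops at the first error, so the chain passes only when every validator accepts it (step 3). The trustedRoot validator and the throwaway CA hierarchy built by newCert are assumptions made for this example, not providers or certificates WebLogic ships; the chain is assumed to be ordered end certificate first, as in a Java CertPath.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Validator models one configured CertPath Validator: it receives the whole
// ordered chain (end certificate first) and returns an error to reject it.
type Validator func(chain []*x509.Certificate) error

// checkOrdered is the framework's own check, run before any validator: each
// certificate must be signed by the next one (which must itself be a CA).
func checkOrdered(chain []*x509.Certificate) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty certificate chain")
	}
	for i := 0; i+1 < len(chain); i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return fmt.Errorf("cert %d (%s) not signed by cert %d (%s): %w",
				i, chain[i].Subject.CommonName, i+1, chain[i+1].Subject.CommonName, err)
		}
	}
	return nil
}

// validateChain runs the ordering check, then the validators in configured
// order, stopping at the first error: the chain is valid only if all accept it.
func validateChain(chain []*x509.Certificate, validators []Validator) error {
	if err := checkOrdered(chain); err != nil {
		return err
	}
	for i, v := range validators {
		if err := v(chain); err != nil {
			return fmt.Errorf("validator %d rejected the chain: %w", i, err)
		}
	}
	return nil
}

// trustedRoot is a sample validator (assumed for this example): the last cert
// must be a trusted CA. Equal compares DER bytes, so a look-alike root fails.
func trustedRoot(trusted []*x509.Certificate) Validator {
	return func(chain []*x509.Certificate) error {
		last := chain[len(chain)-1]
		for _, ca := range trusted {
			if ca.Equal(last) {
				return nil
			}
		}
		return fmt.Errorf("root %q is not a trusted CA", last.Subject.CommonName)
	}
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a throwaway ECDSA test certificate (constructed for this
// example). With parent == nil it is a self-signed root; otherwise parentKey signs it.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func main() {
	root, rootKey := newCert("Test Root CA", true, nil, nil)
	inter, interKey := newCert("Test Issuing CA", true, root, rootKey)
	leaf, _ := newCert("server.example.com", false, inter, interKey)
	lookalike, _ := newCert("Test Root CA", true, nil, nil) // same name, different key
	chain := []*x509.Certificate{leaf, inter, root}
	fmt.Println("ordered, trusted:", validateChain(chain, []Validator{trustedRoot([]*x509.Certificate{root})}))
	fmt.Println("misordered:", validateChain([]*x509.Certificate{inter, leaf, root}, nil))
	fmt.Println("untrusted root:", validateChain(chain, []Validator{trustedRoot([]*x509.Certificate{lookalike})}))
}
```

Run it with go run. The ordered chain with its real root passes; the misordered chain is rejected in the ordering check before any validator runs, because the end certificate is not a CA and so cannot have signed the issuing CA; and the chain is rejected by trustedRoot when only the look-alike root is trusted, since the comparison is on the certificate bytes rather than on the name. A production validator would additionally check validity periods and revocation status, which this example leaves out.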

5.2 Single Sign-On with the WebLogic Security Framework